XenForo 2.1.15 Patch 1, 2.2.16 Patch 2 and XenForo Media Gallery (Security Fixes)

XenForo 2.1.15 Patch 1, 2.2.16 Patch 2 and XenForo Media Gallery (Security Fixes) Security Fixes

No permission to download
Author jessy
Creation date
Overview History Discussion
XF Compatibility
  1. 2.1.x
  2. 2.2.x
Headline
a potential security vulnerability has been identified.
Short Description
Download and Discuss Premium, Business XenForo 2.1.15 Patch 1, 2.2.16 Patch 2 and XenForo Media Gallery (Security Fixes) Security Fixes version on NullPro Community. From XenForo 2.1.15 Patch 1, 2.2.16 Patch 2 and XenForo Media Gallery (Security Fixes) have 1 Description Attachments, 28 Views.

1717683507360.png

Security Fix​

Today we are advising all customers running XenForo that a potential security vulnerability has been identified. All affected customers should either upgrade to XenForo 2.1.15 or XenForo 2.2.16.

If you are a XenForo Cloud customer, a fix has been rolled out automatically, and no further action is required to address this issue.

If you are running a pre-release version of XenForo 2.3, you should follow the instructions in the announcement thread for the XenForo 2.3.0 Release Candidate 1 release.

The issue relates to a potential cross-site request forgery and code injection vulnerability which could lead to a remote code execution (RCE) or cross-site scripting (XSS) exploit.

XenForo extends thanks to independent security researcher, Egidio Romano (EgiX), working with SSD Secure Disclosure.

We recommend doing a full upgrade to resolve the issue, but a patch can be applied manually to any version. See below for further details.


Applying a patch manually​

To patch this issue manually you will need to edit one file manually and upload some changed files.


Step 1: Edit​

src/XF.php​

Click to expand...
Find the following line in this file:

PHP: 
$parts = explode(':', $string, 3);
Replace that line with the following:
to

PHP: 
      if (!$string) return '';
if (strpos($string, ':') === false)
{
$pattern = '#^\\\?'
. str_replace('%s', '([A-Za-z0-9_\\\]+)', preg_quote(ltrim($formatter, '\\')))
. '$#';
if (!preg_match($pattern, $string, $matches))
{
throw new \InvalidArgumentException(sprintf(
 'Class %s does not match formatter pattern %s',
 $string,
$formatter
));
 }
// already a class
return $string;
 }
$parts = explode(':', $string, 3);


Note: This file cannot be patched automatically as it contains install-specific data. You must apply this change manually to any XenForo installation running XenForo 2.1 or 2.2 to effectively fix the issue.


Step 2: Upload XF files​

  • Download either 2115-patch.zip (for XenForo 2.1) or 2216-patch.zip (for XenForo 2.2).
  • Extract the .zip file
  • Upload the contents of the upload directory to the root of your XenForo installation

Step 3: Upload XFMG files (for XenForo Media Gallery customers only)​

  • Download either xfmg219-patch.zip (for XenForo Media Gallery 2.1) or xfmg226-patch.zip (for XenForo Media Gallery 2.2).
  • Extract the .zip file
  • Upload the contents of the upload directory to the root of your XenForo installation
Author
jessy
Views
28
First release
Last update
Rating
0.00 star(s) 0 ratings
Join the discussion More information
Link was Broken? Please  Send Message to NP Team with Ticket, You will get it very quickly!
Support Developer If you are satisfied with your test or project have earn money successfully, Maybe you can click more information button to support with buying.
More resources from jessy
Share this resource

Similar resources

Xenforo Core Full Package Nulled J
Xenforo Core Full Package Nulled 2.2.16 Patch 2
Xenforo Core full package
5.00 star(s) 3 ratings
Views
1,084
Updated
Xenforo Core Upgrade Package Nulled J
Xenforo Core Upgrade Package Nulled 2.3.0 RC4
For Xenforo 2.x upgrade
0.00 star(s) 0 ratings
Views
684
Updated
XenForo Enhanced Search N
XenForo Enhanced Search 2.3.0 RC3
an add-on that replaces the built-in XenForo search system
0.00 star(s) 0 ratings
Views
683
Updated
Back
Top